NT Hashes Dumper

You should be familiar with Todd Sabin's well-known tool
PWDUMP2, an application that dumps the password hashes (one-way
functions, OWFs) from NT's SAM (Security Account Manager) database,
whether or not SYSKEY is enabled on the system. Cain's NT Hashes
Dumper does exactly the same thing and lets you import the password
hashes directly into the corresponding "LM & NTLM Hashes" password
cracker tab.

What Cain's NT Hashes Dumper offers beyond PWDUMP2 is the ability
to dump password history hashes. Windows can be instructed to remember
a number of each user's previous passwords through the password
security policy "Enforce Password History"; a user then cannot choose
a previously used password as the new one. The operating system stores
history passwords in the same form as the current ones, but these
hashes are not returned by the "SamrQueryInformationUser" function of
SAMSRV.DLL that PWDUMP2 relies on; they have to be extracted with the
native function "SamIGetPrivateData" and then decrypted with
"SystemFunction025" and "SystemFunction027" of ADVAPI32.DLL.

How it works

This feature of the program follows the same methodology used by
Todd Sabin in PWDUMP2 to dump the NT hashes present on the system. It
uses the "DLL injection" technique to run a thread in the same security
context as the Local Security Authority Subsystem process (LSASS). The
thread's executable code must first be copied into the address space
of the LSASS process, which requires an account holding the
SeDebugPrivilege user right. By default only Administrators have this
right.

Once injected and executed, the thread runs with the same access
privileges as the Local Security Authority Subsystem; it loads the
functions "DumpHashes" and "DumpHistory" from Abel.dll, which
enumerate the users' hashes present in the SAM database. This is done
by means of native functions of the SAMSRV.DLL library such as
"SamrEnumerateUsersInDomain", "SamrOpenUser", "SamrQueryInformationUser"
and "SamIGetPrivateData". The thread stores the data returned by these
functions in two temporary files named hashes.txt and history.txt,
located in the same directory as the program. Finally, the content of
these files is displayed on screen and the temporary files are
deleted. Note that the hashes therefore pass through the disk
unencrypted; an ordinary delete does not overwrite file contents, so
the temporary files are a forensic artifact worth keeping in mind.
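A pre-flight check for the local dump, as an added example (it is not Cain's own code): it reports whether the current session holds SeDebugPrivilege, whether the token is elevated, the PID of lsass.exe, the configured password history length, and whether LSA Protection (RunAsPPL, a control introduced long after this tool was written) would block the injection regardless of privilege. It assumes Windows PowerShell 5.1 or pwsh on Windows; the function name Test-LsassDumpPrerequisites is my own.

```powershell
# Added example: can this session inject a thread into LSASS the way the
# NT Hashes Dumper needs? Run it from the same session you would launch Cain from.

function Test-LsassDumpPrerequisites {
    # 1. SeDebugPrivilege. "whoami /priv" lists every privilege on the token with
    #    its state. An elevated administrator token carries it (normally
    #    "Disabled" until the process enables it with AdjustTokenPrivileges);
    #    a standard user's token does not carry it at all, and nothing can
    #    enable a privilege that is absent.
    $privLine   = @(whoami /priv) | Where-Object { $_ -match '^SeDebugPrivilege\s' } | Select-Object -First 1
    $hasDebug   = [bool]$privLine
    $debugState = if ($hasDebug) { (($privLine -split '\s+') | Where-Object { $_ })[-1] } else { 'Absent' }

    # 2. Elevation. Under UAC an administrator's unelevated (filtered) token has
    #    no SeDebugPrivilege, so membership in Administrators alone is not enough.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 3. Target process: the remote thread is created inside lsass.exe.
    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue | Select-Object -First 1

    # 4. Caveat the page predates: with LSA Protection (RunAsPPL) LSASS runs as a
    #    protected process and OpenProcess with the access needed to write its
    #    memory fails even for a debugger-privileged administrator.
    $ppl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                             -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # 5. Password history: whether history.txt can contain anything at all.
    #    "net accounts" prints "Length of password history maintained: None|<n>".
    $histLine   = [string](@(net accounts) | Where-Object { $_ -match 'password history' } | Select-Object -First 1)
    $historyLen = if ($histLine -match ':\s*(\S+)\s*$') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        SeDebugPrivilege   = $debugState                       # Enabled / Disabled / Absent
        ElevatedAdmin      = $elevated
        LsassPid           = if ($lsass) { $lsass.Id } else { $null }
        LsaProtection      = if ($ppl) { [int]$ppl } else { 0 } # non-zero blocks injection
        PasswordHistoryLen = $historyLen                       # "None" or a count
        CanInject          = [bool]($hasDebug -and $elevated -and $lsass -and -not $ppl)
    }
}

Test-LsassDumpPrerequisites | Format-List
```

If SeDebugPrivilege shows as Disabled that is the normal state; the injecting process enables it itself. Absent means the dump cannot work from this token, and a non-zero LsaProtection value means it cannot work from any token without first dealing with LSA Protection, which is outside what this page covers.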

Cain can also import SYSKEY-encrypted NT hashes from "off-line" SAM
database files. This feature requires the correct Boot Key (Startup
Key), created with the SYSKEY utility, to decrypt the encrypted hashes.
In the default SYSKEY mode the Boot Key is stored in the SYSTEM
registry file, and you can use Cain's Syskey Decoder to recover it for
you; if the system was instead configured to derive the key from a
startup password or to keep it on a floppy disk, the key is not in the
SYSTEM hive and must be obtained from that source.

Usage

To dump NT hashes, press the Insert key or click the icon with the
blue "+" on the toolbar.

From the dialog you can choose the source for the import: the local
system, a text file (in PWDUMP or L0phtCrack format) or an off-line
SAM file.
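The text-file source expects one account per line in the pwdump layout, username:RID:LM-hash:NT-hash:::. The following parser is an added example, not code from Cain or PWDUMP: it validates each line, flags accounts whose LM field carries the well-known empty-string LM hash (no LM hash to crack, because LM storage was disabled or the password exceeds 14 characters) and accounts with the empty-string NT hash (blank password, nothing to crack), and emits only the worthwhile records. The sample records are constructed; apart from the two empty-hash constants, the hash values are placeholders. The function names are my own.

```powershell
# Added example: parse pwdump-format lines before importing them into Cain.

$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty string
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string

function ConvertFrom-PwdumpLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    $fields = $Line.Trim().Split(':')
    # Blank, comment or otherwise malformed lines are skipped rather than imported.
    if ($fields.Count -lt 4 -or $fields[0] -eq '') { return $null }
    $rid = 0
    if (-not [int]::TryParse($fields[1], [ref]$rid)) { return $null }
    $lm = $fields[2].ToLowerInvariant()
    $nt = $fields[3].ToLowerInvariant()
    $hex32 = '^[0-9a-f]{32}$'
    [pscustomobject]@{
        User    = $fields[0]
        Rid     = $rid
        LM      = $lm
        NT      = $nt
        # Some dumpers write a text placeholder instead of an LM hash; that, or
        # the empty-string LM hash, means there is no LM hash worth cracking.
        HasLm   = ($lm -match $hex32) -and ($lm -ne $EmptyLm)
        NtValid = ($nt -match $hex32)
        BlankPw = ($nt -eq $EmptyNt)
    }
}

function Import-PwdumpLines {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-PwdumpLine $_ } | Where-Object { $_ }
}

# Constructed sample input (not a real dump).
$sample = @(
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::',
    'bob:1002:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::',
    'this line is not a pwdump record'
)

$accounts = Import-PwdumpLines $sample
$accounts | Format-Table User, Rid, HasLm, NtValid, BlankPw

# Write back only the records worth feeding to the "LM & NTLM Hashes" tab.
$accounts | Where-Object { $_.NtValid -and -not $_.BlankPw } |
    ForEach-Object { "$($_.User):$($_.Rid):$($_.LM):$($_.NT):::" } |
    Set-Content -Path .\hashes-to-import.txt
```

In the sample, Administrator is dropped (blank password), alice is imported but should be attacked on the NT hash only, and bob has both hashes; the malformed fourth line is ignored.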

If you need to recover hashes from a SAM
file not encrypted by SYSKEY, simply leave the Boot Key field empty.

Once dumped, password hashes can be sent to the LM & NTLM cracker
using the list's pop-up menu.

Requirements

The local system import function requires an account with the
SeDebugPrivilege user right; by default only Administrators have this
right. Abel.dll must also be present, since it is the library loaded
by the remote thread injected into the LSASS process. Extracting hashes
from a SYSKEY-encrypted SAM file requires the correct Boot Key to
decode them.